One does not commit or compile credentials
Context:
This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.
One does not commit or compile credentials
Context:
This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.
I also personally ask myself how a PyPI Admin & Director of Infrastructure can miss out on so many basic coding and security relevant aspects:
On the other hand what went well:
Yes kids, the only stuff in ANY repo (public or otherwise) should be source code.
If it is compiled, built, or otherwise modified by any process outside of you the developer typing in your source code editor, it needs to be excluded/ignored from being committed. No excuses. None. Nope, not even that one.
No. 👏 Excuses. 👏
Two choices: Either the production software isn’t in the exact state the repo was when the software was built. Or I can’t get build timestamps in the software.
To err is to be human… right?
To be honest, this doesn’t instill me with much confidence, but who am I? If someone looked at my OpSec, probably they’d be horrified.
Anti Commercial-AI license
I don’t understand; I can push to GitHub using https creds or an ssh key without creating access tokens.
Isn’t that what Python is all about?
I feel seen.
Isn’t this why Docker exists? It’s “works on my machine”-as-a-service.